On Tue, Jul 23, 2024 at 11:19 AM Christian Brauner <brauner@xxxxxxxxxx> wrote:
> The same logic extends to security modules. Both selinux and smack
> handle MAY_NOT_BLOCK calls from security_inode_permission() with e.g.,
> selinux returning -ECHILD in case the inode security context isn't
> properly initialized causing the VFS to drop into ref walking mode and
> allowing selinux to redo the initialization.

Since we are talking mostly about the destruction of an inode, it is worth mentioning that the SELinux -ECHILD case that Christian is referring to isn't a common occurrence as SELinux only invalidates inode labels on network filesystems under certain circumstances (chase the security_inode_invalidate_secctx() hook).

On most normal SELinux systems inodes are labeled as part of the creation process so long as a SELinux policy is loaded into the kernel; this does mean that there is a window during early boot where the inodes are in an invalid state, but they are properly initialized later (there are different ways this could happen). For local filesystems with inodes created after the SELinux policy is loaded, inodes have a valid SELinux label from their very creation up until their memory is released.

--
paul-moore.com